summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2017-05-05 07:40:42 +0200
committerSteffen Klassert <steffen.klassert@secunet.com>2017-05-08 08:03:01 +0200
commitd90c902449a7561f1b1d58ba5a0d11728ce8b0b2 (patch)
tree5e0505f4a86aa0a1a77cb9c1b300865c51ccddb6 /net
parentxfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY (diff)
downloadlinux-d90c902449a7561f1b1d58ba5a0d11728ce8b0b2.tar.xz
linux-d90c902449a7561f1b1d58ba5a0d11728ce8b0b2.zip
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
The sadb_x_sec_len is stored in the unit 'byte divided by eight'. So we have to multiply this value by eight before we can do size checks. Otherwise we may get a slab-out-of-bounds when we memcpy the user sec_ctx. Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c1950bb14735..512dc43d0ce6 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
p += pol->sadb_x_policy_len*8;
sec_ctx = (struct sadb_x_sec_ctx *)p;
if (len < pol->sadb_x_policy_len*8 +
- sec_ctx->sadb_x_sec_len) {
+ sec_ctx->sadb_x_sec_len*8) {
*dir = -EINVAL;
goto out;
}